Resource Type: openssl_certutil

Defined in:
lib/puppet/type/openssl_certutil.rb
Providers:
certutil

Summary

Manage trusted certificates in the system-wide NSS database

Overview

This type installs the certificate specified with `filename` as a trusted certificate if `ensure => present`. The trust is removed if `ensure => absent`.

The `certutil` executable is required for this type. In general it is only available on RedHat-based distributions.

The certificate file itself is not managed by this type.

The file must already exist on the node before it can be added to the NSS database. Make sure you add the correct dependency if you manage the certificate file with Puppet.

There is an unsolved issue if a certificate is added a second time to the NSS database under a different nickname. In this case `certutil` does not add the certificate, but it also does not report an error. As a result, Puppet will try to add the certificate on every run. As a workaround, remove the already installed certificate from the database before adding it under the new nickname.

Examples:

Add a certificate to the NSS database and set trust level for SSL
openssl_certutil { '/etc/ssl/certs/My-Root-CA.crt':
  ensure    => present,
  ssl_trust => 'C',
}

Remove a certificate from the NSS database
openssl_certutil { '/etc/ssl/certs/My-Root-CA.crt':
  ensure => absent,
}
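Manage the certificate file with Puppet and add it to the NSS database only once the file exists, while clearing a stale entry first (the workaround for the duplicate-nickname issue described above). This is an added example, not part of the module's own documentation; the nicknames `My-Root-CA` and `My-Root-CA-old` and the `puppet:///` source path are assumed.

```puppet
# Added example (not from the module): the CA file is managed here, so the
# openssl_certutil resource must depend on it (see the note in the Overview).
file { '/etc/ssl/certs/My-Root-CA.crt':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
  # Assumed source path inside a hypothetical 'profile' module.
  source => 'puppet:///modules/profile/pki/My-Root-CA.crt',
}

# Workaround for the unsolved duplicate-nickname issue: if the same
# certificate is still present under an old nickname, certutil silently
# skips the add and Puppet would retry on every run. Remove the stale
# entry first. The old nickname is assumed for this example.
openssl_certutil { 'My-Root-CA-old':
  ensure => absent,
}

# Title = nickname in the NSS database (namevar); the file is given
# explicitly via 'filename'. ssl_trust 'C' marks the certificate as a
# trusted CA for issuing server (SSL) certificates; the email and
# object-signing trust attributes are left unset.
openssl_certutil { 'My-Root-CA':
  ensure    => present,
  filename  => '/etc/ssl/certs/My-Root-CA.crt',
  ssl_trust => 'C',
  require   => [
    File['/etc/ssl/certs/My-Root-CA.crt'],
    Openssl_certutil['My-Root-CA-old'],
  ],
}
```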

Properties

  • email_trust

    Email trust attributes for the certificate.

    Supported values:
    • %r{[pPcCT]*}
  • ensure (defaults to: present)

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent
  • object_signing_trust

    Object signing trust attributes for the certificate.

    Supported values:
    • %r{[pPcCT]*}
  • ssl_trust

    SSL trust attributes for the certificate.

    Supported values:
    • %r{[pPcCT]*}

Parameters

  • filename

    The filename of the certificate.

  • name (namevar)

    The nickname of the certificate in the certificate database.

  • provider

The specific backend to use for this `openssl_certutil` resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.